# Rate Limiting

Protect your API with configurable rate limits.
## Configuration

```json
{
  "rateLimit": {
    "enabled": true,
    "default": {
      "windowMs": 60000,
      "max": 100
    }
  }
}
```

### Options

| Option | Type | Default | Description |
|---|---|---|---|
| windowMs | number | 60000 | Time window in ms |
| max | number | 100 | Max requests per window |
| message | string | | Custom error message |
| statusCode | number | 429 | HTTP status code |
| skipSuccessfulRequests | boolean | false | Only count failed requests |
| skipFailedRequests | boolean | false | Only count successful requests |
## Per-Endpoint Limits

```json
{
  "rateLimit": {
    "enabled": true,
    "default": {
      "windowMs": 60000,
      "max": 100
    },
    "perEndpoint": {
      "/api/heavy": {
        "windowMs": 60000,
        "max": 10
      },
      "/api/auth/login": {
        "windowMs": 300000,
        "max": 5,
        "message": "Too many login attempts"
      }
    }
  }
}
```

## Route-Level Limits
```json
{
  "path": "/api/expensive",
  "method": "post",
  "rateLimit": {
    "max": 5,
    "windowMs": 60000
  }
}
```

## Response Headers
The current rate limit state is returned in response headers:

```http
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1704067200
```

## Tenant Rate Limits
Per-tenant limits are set in the tenant config:

```json
{
  "rateLimit": {
    "enabled": true,
    "default": {
      "windowMs": 60000,
      "max": 1000
    }
  }
}
```

## Rate Limit Response
When the limit is exceeded, the response body is:

```json
{
  "error": "Too many requests",
  "message": "Rate limit exceeded. Try again later.",
  "retryAfter": 45
}
```

HTTP status: `429 Too Many Requests`
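As an added example (not the project's own code), the following JavaScript sketches an in-memory fixed-window limiter that consumes the configuration shape documented above and produces the `X-RateLimit-*` headers and the 429 body shown. The names `resolveLimit`, `RateLimiter`, `check` and `settle`, the precedence route-level over `perEndpoint` over `default`, keying counters per client IP and path, and un-counting a request after its status is known when a `skip*` flag applies are all assumptions; the page does not describe how the product itself merges or keys limits.

```javascript
// Added example, not the project's own code: a minimal fixed-window rate
// limiter driven by the documented configuration shape. Assumptions (not
// stated on the page): counters are keyed per client IP and path, route-level
// settings override "perEndpoint", which overrides "default", and the skip*
// flags un-count a request once its response status is known.

// Constructed sample configuration mirroring the page's examples.
const sampleConfig = {
  rateLimit: {
    enabled: true,
    default: { windowMs: 60000, max: 100 },
    perEndpoint: {
      "/api/heavy": { windowMs: 60000, max: 10 },
      "/api/auth/login": {
        windowMs: 300000,
        max: 5,
        message: "Too many login attempts",
        skipSuccessfulRequests: true, // only failed logins are charged
      },
    },
  },
};

// Effective limit for a path; null when rate limiting is disabled.
function resolveLimit(cfg, path, routeLimit) {
  const rl = cfg.rateLimit;
  if (!rl || !rl.enabled) return null;
  const fallback = {
    statusCode: 429,
    message: "Rate limit exceeded. Try again later.",
    skipSuccessfulRequests: false,
    skipFailedRequests: false,
  };
  const perEndpoint = (rl.perEndpoint && rl.perEndpoint[path]) || {};
  return Object.assign({}, fallback, rl.default, perEndpoint, routeLimit || {});
}

class RateLimiter {
  constructor(cfg) {
    this.cfg = cfg;
    this.buckets = new Map(); // key -> { count, resetAt }
  }

  // Counter for (client, path) in the current fixed window.
  bucket(key, windowMs, now) {
    let b = this.buckets.get(key);
    if (!b || now >= b.resetAt) {
      b = { count: 0, resetAt: now + windowMs };
      this.buckets.set(key, b);
    }
    return b;
  }

  // Before the handler runs: charge the request and decide whether it may proceed.
  check(req, now = Date.now(), routeLimit) {
    const limit = resolveLimit(this.cfg, req.path, routeLimit);
    if (!limit) return { allowed: true, headers: {} };
    const key = `${req.ip}:${req.path}`;
    const b = this.bucket(key, limit.windowMs, now);
    b.count += 1;
    const headers = {
      "X-RateLimit-Limit": limit.max,
      "X-RateLimit-Remaining": Math.max(0, limit.max - b.count),
      "X-RateLimit-Reset": Math.ceil(b.resetAt / 1000), // unix seconds
    };
    const decision = { allowed: b.count <= limit.max, headers, key, limit, resetAt: b.resetAt };
    if (!decision.allowed) {
      decision.statusCode = limit.statusCode;
      decision.body = {
        error: "Too many requests",
        message: limit.message,
        retryAfter: Math.ceil((b.resetAt - now) / 1000), // seconds until the window resets
      };
    }
    return decision;
  }

  // After the handler: un-count the request if a skip* flag says it is not charged.
  settle(decision, status) {
    if (!decision.allowed || !decision.limit) return;
    const ok = status < 400;
    const { skipSuccessfulRequests, skipFailedRequests } = decision.limit;
    if ((ok && skipSuccessfulRequests) || (!ok && skipFailedRequests)) {
      const b = this.buckets.get(decision.key);
      // Only touch the window the request was originally charged to.
      if (b && b.resetAt === decision.resetAt && b.count > 0) b.count -= 1;
    }
  }
}

// Worked scenario: five failed logins from one client, then a sixth attempt.
function loginLockoutDemo(now) {
  const limiter = new RateLimiter(sampleConfig);
  const req = { ip: "203.0.113.7", path: "/api/auth/login" }; // constructed client
  const decisions = [];
  for (let i = 0; i < 6; i++) {
    const d = limiter.check(req, now + i * 1000);
    if (d.allowed) limiter.settle(d, 401); // each attempt fails authentication
    decisions.push(d);
  }
  return decisions;
}

const sixth = loginLockoutDemo(1704067200000).pop();
console.log(sixth.statusCode, JSON.stringify(sixth.body), sixth.headers);
```

Because the skip flags can only be applied once the response status is known, `check` charges every request up front and `settle` refunds the ones the flags exclude; this keeps a burst of concurrent requests from slipping past the limit while the first of them is still in flight.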
## Best Practices

- Set conservative defaults
- Use lower limits for authentication endpoints
- Use higher limits for read operations
- Use `skipSuccessfulRequests` on login endpoints so that only failed attempts count toward the limit
- Monitor rate limit hits in analytics